Home Depot Asked to Disclose Breach Settlement Details

A Georgia district judge has asked Home Depot to disclose communications that were sent to issuers about a deal with MasterCard to settle fraud losses and other expenses suffered by banks and credit unions in the wake of the retailer's 2014 data breach.

In part, plaintiffs' attorneys will be reviewing communications to see which, if any, were sent with Home Depot's knowledge, and determine if some banks and credit unions felt obliged to accept terms of the settlement without fully understanding or knowing all of the financial terms.

"Under MasterCard's rules, this [settlement] process provides partial compensation for certain losses financial institutions have incurred as a result of data breaches and does not require a release of financial institutions' claims," plaintiffs' counsel notes in a motion for injunctive relief filed Dec. 8. "Home Depot and MasterCard instead have sought to turn the card recovery process into a pseudo-class settlement that releases all the claims in this litigation. In the meantime, class members have received misleading and coercive messages about what is happening and are being told they must act immediately or lose their rights. In fact, the deadline for some absent class members to act already has passed."

In a Dec. 15 statement, the attorneys for the financial institutions suing Home Depot note: "We are pleased the court agreed that the communications received by financial institutions about the Home Depot/MasterCard settlement were 'misleading and coercive' and warrant further scrutiny. The order granting immediate discovery will allow the court to learn all the facts about Home Depot's agreement with MasterCard and determine whether to grant plaintiffs' request to vacate any releases and require a curative notice be sent to class members. In the meantime, we recommend that financial institutions not accept any tentative settlement offer until sufficient information is provided that enables them to make an informed decision."

Attorney Chris Pierson, chief security officer at invoicing and payments provider Viewpost, says the order entered by the judge this week places both parties on an equal footing, "ensuring that accurate and transparent communications regarding potential settlement shall be shared with both parties ahead of time, contain certain disclosures and be up front on the settlement."

Pierson says the ruling ensures "basic fairness," and puts both sets of counsel on notice that they must be responsible for their notice to class members.

Communications About Proposed Settlement

ThreeÂ paymentsÂ and core-banking processors -Â FIS,Â FiservÂ andÂ Vantiv - sent letters to issuers last month about MasterCard's proposed settlement with Home Depot, according to the Atlanta Business Chronicle. Each letter specified response deadlines from Dec. 2 through Dec. 7.

The letters also note that any issuer that accepts the terms of the "alternative recovery offer," part of MasterCard's account data compromise program, forfeits its rights to pursue further compensation through a class action suit.

But Home Depot says it was not involved with or aware of any communications that were sent to banks and credit unions.

"There is a tentative settlement in place with MasterCard, but I can't discuss the details of the settlement," Home Depot spokesman Stephen Holmes told Information Security Media Group on Dec. 4. "What I can tell you is that we did not send any communications, nor were we aware of any communications being sent."

During the discovery process granted by the court this week, plaintiffs' attorneys will gauge whether they believe Home Depot did, in fact, have no knowledge of the communications. A hearing will likely be held in February, Home Depot says, at which time the judge will determine whether any further relief is necessary.

Claims Against Home Depot, So Far

Attorneys representing banks and credit unions in their class-action suit claim Home Depot used deceptive practices to convince issuers to accept a settlement for which no financial details were provided (see Will Banks Reject Home Depot Breach Settlement?).

What's more, plaintiffs' counsel claims Home Depot and MasterCard contacted banks and credit unions about accepting the settlement before notifying the banks' attorneys that a settlement had even been reached.

"Until Home Depot discloses all the facts relating to its agreement with MasterCard, financial institutions should reject any settlement that does not offer significant reimbursement for their losses beyond what they are already entitled to receive under MasterCard's rules without releasing their legal claims," the attorneys note in a Dec. 4 statement about the settlement proposal.

Those attorneys argue that recovery paid out through the account data compromise program should be paid regardless of whether a class-action suit seeking additional compensation is filed.

"The settlement uses MasterCard's Account Data Compromise (ADC) program to offer financial institutions partial recovery amounts for their losses sustained during the data breach," plaintiffs' attorneys note in their Dec. 4 statement. "However, these settlements do not disclose to financial institutions that they are not required to sign a release in order to participate in MasterCard's ADC program, and should be able to retain their right to pursue legal claims against Home Depot."

On Nov. 30, those attorneysÂ filed a motion to have the court force Home Depot to immediately disclose details about the settlement.

About the Author

A veteran journalist with more than 20 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;

Enter your email address to reset your password

Already have anISMG account?

Forgot Your Password Message:

Contact Us

Already have anISMG account?

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.